How Somebody “Hacked” Telegram

Russian Telegram staff likes it when somebody raises a security issue with them. They reckon that the fact that they make contests where anyone can find weaknesses in their method of encryption help them deliver their service better. Russian Telegram top management even rewards people for offering them ways to make the IM app more protected than it is now.

Last month they gave $5,000 to a man who brought up an issue, which potentially could prove to be a vulnerability in the Russian Telegram version for Andriod. This month Russian Telegram transferred $2,500 to a company, which spotted weaknesses in Russian Telegram iOS code. In 2013, a person sent them a message where he indicated a vulnerability in the MTProto design and got a reward of $100,000. The Russian Telegram team are usually the first to admit and eliminate any bugs that somebody spots in their IM app.

Supposing, I get hold of root access…

Last month somebody sent to Russian Telegram the following message: “what if an intruder had root access to a user’s Android smartphone, messages in Russian Telegram would not be secure”.

Of course, in Russian Telegram they did not even bother to reply.

[quote color=”#ffffff” bgcolor=”#4a525d”]Because should an intruder by some miracle get hold of root access to one’s smartphone, any further discussions about security would be pointless. This means the intruder will already have full access to any part of your phone and will be able to see the same picture as you do on your device.[/quote]

All experts in the security field could take it as a silly joke; however, this did not prevent the guy who proved to be the director of an unknown company Zimperium hanging a post in his blog. The provocative article was called “How I have hacked Telegram’s ‘encryption’”.

How I managed to “hack” the encryption in Russian Telegram

In his post, the Zimperium director claimed that since an intruder is able to read the memory of the device, Russian Telegram messages must be kept encrypted in the smartphone. This “advice” contains a clear paradox. It implies that the key to the encrypted messages would also be kept on the smartphone (it would be impossible to show chat on the smartphone screen otherwise).

Therefore, the idea of the “solution” proposed was to make messages encrypted purely for the sake of encryption. This would make delusive safety in the totally lost game with root access involved, also forcing the CPU to work harder and the phone accumulator to waste its power.

The aforementioned post also contained a sales pitch on the software produced by Zimperium. How would you like that?

Marked as “Rubbish” by the Media and Internet Society

Naturally, big media did not appreciate this hidden attempt of advertising – having gone deep into the subject, Forbes and other magazines found the topic of the post amusing. An expert from the Electronic Frontier Foundation summarized the opinion of the Internet crypto community in her comment, saying that if somebody says that they can break encryption through compromising the endpoint, that means they haven’t really broken anything.

A member of the Cloud Security Team had a go at making the situation clear for those who are not part of the security community. He wrote that he may dislike Russian Telegram but this messaging app has not been hacked by anyone yet. More comments of the similar kind followed.

Bullshit Bingo Switched On

Whether the topic of security faults may be exploited or not, it is always possible to take advantage of naïve media and exploit topics that users are afraid of. Despite the fact that experts in the field of Internet security have knocked the bottom out of the claim, smaller magazines fell for it. They began to publish news with headlines, saying that Russian Telegram has been hacked, that there are flaws in this widely promoted messaging app, that the data protection it offers is compromised and now it can hardy compete with SSL.

The blogs or newspapers that wrote the aforementioned articles have not actually looked into facts or bothered conducting a research. In spite of the fact that the Russian Telegram team was willing to comment on this topic in Twitter or give any other reply visible to the public, hardy any reps of mass media were interested in getting the right information about this issue. Zimperium hid all the comments to its original post but left a field for comments, though, thus making it look as if one can leave a comment – an illusion for readers who, most certainly, would have expressed their opinion if given a chance. In the end, the post about “hacking the Russian Telegram Messenger” received around 5,000 likes and was retweeted by more than 3,000 users.

Something to Think About

Now that we live in time when marketing becomes more important than fact checking, we all have to be cautious. Journalists should give more time to looking deep into facts, young online companies like Russian Telegram should promote themselves better and in a proactive way, and users/readers have to be careful about what they read when it comes to reports about famous startups and big companies. If we are not careful enough, there will always be someone to turn the lack of facts as well as our fears against us.